Web Content Filtering
What Is It?
Ah, the Internet. Remember the good old days when procrastinating involved some sort of physical activity aside from staring blankly at a screen and clicking a mouse button? Remember when we had to go find a book and look something up that may have been out of date by years? Remember when you had to go physically see someone or, goodness forbid, pick up the phone and talk to someone? Remember when you had to turn on the TV to get your weather and news, or interact with real people to buy a newspaper, a magazine, or homewares? We now have an entire generation entering the workforce that has never known a time before the Internet, and people with extensive careers that have always involved online interactions, from bulletin board systems to email to instant messaging.
The very fact that nearly our entire existence is lived online makes a solid case for web content filtering. In the era of “Fake News” (a term I’d not heard of until a certain public figure began using it with the frequency of a teenager saying “like”) we need to watch what we consume online more than ever. While email filtering, which I spoke of in another article, targets just one facet of communication, web content filtering is kind of a blanket approach to everything else. There are dozens, if not hundreds, of categories of “things” online, ranging from hacking to gambling to pornography, that we want to block, but just as many we wish to let through, like news, weather, and sports. Everyone approaches web filtering differently: researchers and security professionals may filter nothing due to the nature of their jobs, while others filter virtually everything.
Web filters can be very busy because, face it, there is a lot to sort out. Virtually every transaction over the internet involves some sort of website that sits somewhere around the world and provides some sort of content. The double-edged sword in all of this is the increasing volume of encrypted traffic: we can communicate more securely, but the same encryption also hides malicious traffic, against which traditional web filters have limited effectiveness. When we do have the ability to inspect encrypted traffic, we are again limited, since some services, such as banking, react rather poorly to having their content inspected (read: it breaks them).
In the end, we need to figure out what we need to allow and what we need to block and then inspect both to make sure the good doesn’t get caught up with the bad, and the bad doesn’t masquerade as the good. Despite what some may tell you, web filtering is a bit trickier than it appears, but take heart – getting it right is certainly possible and easier than you think.
Where Do I Start?
The first thing is figuring out what you want to block, but also what you want to let through when it comes to web inspection. We all have critical data we need access to, and simply relying on an explicit block list where allowed traffic becomes implied isn’t reliable enough. Different content filters treat traffic differently, so if there are sites and services you absolutely need, be sure to identify them, but only so far as you absolutely trust them. Hackers are slick at disguising their traffic as legitimate, so even if you allow a site, it’s worthwhile still inspecting it. A complete bypass is a rare exception you should avoid. Your corporate IT policy or acceptable use policy (or something similar) should call out the permitted and denied traffic. If you don’t have this type of policy, I’d strongly suggest creating one, and if need be, get the right people involved to help with this. When push comes to shove because one of your staff has done something rather egregious with accessing the Internet, you need an official policy to bail you out. By the way, for bonus points, get your legal team involved – these things can and do end up in court!
Once you have the yes / no situation sorted out, move on to determining your solution. Remember that rare is the product that works perfectly for you right out of the box. Coupled with your official policy, conduct a consulting engagement to figure out the best fit-for-purpose offering underpinned with a solid design, implementation plan, and ongoing support. The threat landscape is evolving, so your defences need to as well. It also needs to keep pace with policy and the changes within your organisation. Again, getting the right people involved to help this journey is paramount. After you’ve got a policy to lean on and a solution selected, it’s time to put it all together.
How Do I Make It Work?
There is no shortage of great vendors and products out there for just about every purpose. Organisations of all sizes in all sectors and verticals want and need web filtering, and the leading vendors know this. In many cases, their ranges are huge and have a lot of value-adds (and just as many things you may not need). Do your homework and don’t over-invest by purchasing capabilities you don’t need, or which are not relevant to your business.
Decide if you want on-premises, hosted, or cloud-based (or even hybrid) depending on your situation. For those of you with a cloud-first strategy, consider a cloud-based service, but if you still have on-premises or hosted equipment, you may need a hybrid approach because you need to filter all your ingress and egress traffic. It’s pretty much a given that the volume of traffic is increasing, so be sure to get a scalable solution you won’t have to replace in just a few months.
Products by themselves are not solutions, but getting the right product, using the right architecture and configuration, and underpinning it with solid support and enforcement (including reporting and alerting) is a solution. I cannot stress enough that if you don’t have the skills in-house to run this project end to end, including ongoing support, then put your hand up and ask for help. I’d much rather see you succeed than end up disappointed and vulnerable. We’re all on the same side!
Pitfalls?
Under-spec’ing the products is a huge pitfall. Always remember that the more traffic you inspect, the more overhead is placed on your system, so be sure to spec the system to handle your peak workloads with room to grow and room to spare. Also, if you are using other filtering on the same device (virtual or physical), be sure to allow for all of them to be used at once. Web filtering is one thing, but putting application control, intrusion prevention, and encrypted inspection on top of it can really bog things down.
Another one to watch for is availability. If you can afford to do so, use high availability: when an appliance fails, you want to remain defended rather than have it fail open (traffic passes uninspected) or fail closed (no traffic flows at all).
The third pitfall is encrypted payload inspection. Realise that not all encrypted traffic can be inspected, most notably banking. Be sure to include this in your planning if you intend to use it (and there is a very real possibility you will with the proliferation of encrypted traffic). You can consider inspecting the unencrypted traffic elsewhere, but that is another article for another day. Always use a defence in depth strategy.
Ghosts in the Machine?
I cannot stress enough that human nature will always be the ghost in your machines. Watch out for people trying to bypass filtering by any means, such as by using VPNs on their devices. Shadow IT can appear here if users think they are being unjustly inhibited. Always be sure to base your filtering on policy, because people have different ideas of what is “objectionable”. People also seem to adopt a draconian approach to security which ends up hindering productivity rather than helping.
Anything Missing?
Change management. Make sure that any time you make a rule change, you run it through change management and debate its pros and cons. The ability to track every change and maintain integrity and accountability is crucial. Also, be sure to enforce the rules across the board, because the filtering is there to protect everyone and not to spy on what you’re doing. If there are exceptions, such as for researchers or people that require special access, be sure to document, validate, and enforce these with policy. Nobody should have unrestricted internet access in a corporate environment “just because”.
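To make the decisions described above concrete (default deny, allowed traffic still inspected, a full inspection bypass as a rare documented exception, banking exempted from decryption, exceptions tied to a change record with an expiry), here is a small policy evaluator I have added as an example; it is not from the original post or from any vendor, and the category feed, hostnames and ticket ids are constructed stand-ins.

```python
"""Toy web-filter policy evaluator (added example, constructed data)."""
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed stand-in for a vendor's URL category database.
CATEGORIES = {
    "news.example.com": "news",
    "bets.example.net": "gambling",
    "bank.example.org": "banking",
    "research.example.edu": "hacking",
}
BLOCKED_CATEGORIES = {"gambling", "hacking", "pornography"}
# Services known to break under TLS inspection: allowed, but never decrypted.
NO_DECRYPT_CATEGORIES = {"banking"}


@dataclass(frozen=True)
class PolicyException:
    host: str
    change_ticket: str        # constructed change-management reference
    expires: str              # ISO date; compares correctly as a string
    bypass_inspection: bool = False  # rare; allow-but-inspect is the default


@dataclass(frozen=True)
class Decision:
    action: str               # "allow" or "block"
    inspect: bool             # decrypt and scan the payload?
    reason: str


def evaluate(url: str, exceptions: list, today: str) -> Decision:
    host = urlparse(url).hostname or ""
    category = CATEGORIES.get(host, "uncategorised")
    # Documented, unexpired exceptions win; expired ones fall through to policy.
    for exc in exceptions:
        if exc.host == host and exc.expires >= today:
            return Decision("allow", not exc.bypass_inspection,
                            f"exception {exc.change_ticket}")
    if category in BLOCKED_CATEGORIES or category == "uncategorised":
        # Default deny: an unknown site is not implicitly allowed.
        return Decision("block", False, f"category {category}")
    # Allowed traffic is still inspected unless inspection is known to break it.
    return Decision("allow", category not in NO_DECRYPT_CATEGORIES,
                    f"category {category}")
```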